Re: [squid-users] My Squid Under Attack - Help with info please.

From: Henrik Nordstrom <[email protected]>
Date: Mon, 30 Dec 2002 06:49:55 +0100

Cliff wrote:

> I know about port 25. And am not an open relay
> according to my testing with the ORDB testing
> services that I have used. I have just checked
> again...and the results are negative.
>
> What does this have to do with port 3128?
>
> Why does using the HTTP connect method to port
> 3128 result in some sort of connection to port 25?
>
> What is the exact nature of the exploit?

If you allow CONNECT to port 25 then the hacker may jump via your Squid
proxy on port 3128 to connect to port 25 on any other server, and can
most likely circumvent any anti-relay rules of your mail transport agent
as to your mail-transport-agent it will look like the request is coming
from your machine.

Exact nature:

Spammer connects to your proxy on port 3128, instructs the proxy to
connect to port 25 on your (or someones else) mailserver and then sends
the email. To the mail systems the source of the email is your proxy
server.

Regards
Henrik
Received on Sun Dec 29 2002 - 22:50:28 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:15 MST